<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
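This page includes an insecure script that alerts "FAIL", but that script is blocked by CSP: the policy sets only default-src 'self', which also governs script loads, and 'self' does not match the script's URL.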
<script src="http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js"></script>
